Software as a Service (SaaS): Role Within Technology Services

Software as a Service (SaaS) occupies a distinct structural position within the broader cloud technology services landscape, sitting at the topmost layer of the cloud delivery stack alongside Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). This page covers SaaS's formal definition, the technical mechanism by which it delivers software, the professional and regulatory contexts in which it operates, and the criteria that distinguish it from adjacent service models. These distinctions carry direct consequences for procurement decisions, vendor contracts, compliance obligations, and liability boundaries.

Definition and scope

SaaS is a software delivery model in which a vendor hosts an application on remote infrastructure and makes it accessible to customers — typically through a web browser or lightweight client — on a subscription or consumption basis. The customer does not manage, patch, or provision any underlying servers, operating systems, or middleware. That operational responsibility rests entirely with the provider.

The National Institute of Standards and Technology (NIST) defines SaaS formally in Special Publication 800-145 as a cloud service model in which "the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure." Under this definition, the consumer controls only limited user-specific application configuration settings — nothing beneath the application layer.

SaaS spans a wide functional range. The types of technology services delivered under the SaaS model include customer relationship management (CRM), enterprise resource planning (ERP), human capital management (HCM), productivity suites, business intelligence platforms, and security information and event management (SIEM) tools. Each category carries its own regulatory profile. Healthcare SaaS vendors processing protected health information are subject to the HIPAA Security Rule (45 CFR Part 164), while financial sector deployments intersect with guidance from the Federal Financial Institutions Examination Council (FFIEC).

How it works

SaaS delivery rests on a multi-tenant architecture in which a single software instance serves multiple customer organizations simultaneously, with logical isolation enforced at the data and access control layers. This contrasts with traditional on-premises software, where each organization maintains a dedicated installation.

The technical delivery sequence follows a defined operational structure:

Provisioning — The vendor allocates tenant space within a shared application environment. Identity and access management (IAM) credentials are issued to the customer organization.
Authentication — End users authenticate through mechanisms such as SAML 2.0, OAuth 2.0, or OpenID Connect, often federated with the customer's own identity provider.
Session delivery — Application logic executes on vendor-controlled servers. The user interface is rendered in a browser or thin client; no executable application files are stored locally.
Data handling — Customer data is written to a vendor-managed database, encrypted at rest and in transit according to the provider's stated controls and any applicable regulatory requirement.
Updates and patching — The vendor deploys patches, feature updates, and security fixes across all tenants simultaneously, without customer action. This is a defining characteristic that separates SaaS from hosted or managed software.
Monitoring and SLA enforcement — Uptime, latency, and availability are tracked against contractual commitments. Technology services contracts and SLAs govern remedies for service degradation.

NIST's cloud computing reference architecture (SP 800-145) defines five essential characteristics of cloud services — on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service — all of which apply to well-formed SaaS deployments.

Common scenarios

SaaS appears across industry verticals in both commodity and specialized forms. The following deployment scenarios represent the primary categories encountered in professional and procurement contexts.

Enterprise productivity and collaboration — Platforms such as those covered under productivity suite categories deliver email, document creation, video conferencing, and workflow automation under a per-seat subscription. These deployments typically involve thousands of user accounts and require integration with existing directory services.

Vertical-specific SaaS — Healthcare technology services rely on SaaS-delivered electronic health record (EHR) platforms, telehealth portals, and claims processing systems, each requiring Business Associate Agreements (BAAs) under HIPAA. Financial sector technology services use SaaS for trading platforms, loan origination systems, and regulatory reporting tools subject to SOX and Regulation S-P.

Security as a SaaS delivery — Security information, endpoint detection, and identity management tools are increasingly delivered through the SaaS model. Cybersecurity as a technology service encompasses cloud-delivered SIEM, vulnerability management, and zero-trust network access (ZTNA) platforms — all of which follow SaaS operational mechanics while carrying enhanced data sensitivity requirements.

Small business deployment — Technology services for small business commonly depend on SaaS because it eliminates the capital expenditure of on-premises infrastructure. Accounting, point-of-sale, payroll, and marketing automation platforms are delivered entirely through the SaaS model with no dedicated IT staff required on the customer side.

Government procurement — Government and public sector technology services increasingly procure SaaS through FedRAMP-authorized offerings. The Federal Risk and Authorization Management Program (FedRAMP) requires cloud service providers — including SaaS vendors — to achieve a standardized security authorization before federal agencies may deploy their platforms.

Decision boundaries

The choice between SaaS and adjacent delivery models — particularly PaaS and self-hosted software — depends on four structural factors: control requirements, customization depth, data sovereignty obligations, and total cost profile.

SaaS vs. PaaS — PaaS provides a development and runtime environment; the customer builds and deploys custom applications on top of it. SaaS delivers a complete, pre-built application. Organizations requiring proprietary application logic or deep workflow customization may find PaaS more appropriate. Those requiring rapid deployment of standard business functions favor SaaS. The software-as-a-service overview and the broader types of technology services pages provide classification context across the full cloud stack.

SaaS vs. on-premises — On-premises deployments give organizations direct control over infrastructure, patch timing, and data residency. SaaS removes that control in exchange for reduced operational overhead. Regulated industries with strict data localization requirements — particularly in sectors where cross-border data transfer restrictions apply — may face constraints on SaaS adoption that do not affect on-premises alternatives.

Compliance decision points — Technology services compliance and regulations govern SaaS differently than IaaS. Under a SaaS model, the vendor inherits responsibility for infrastructure-layer controls (physical security, hypervisor patching, network segmentation), while the customer retains responsibility for access provisioning, data classification, and configuration settings. This shared responsibility model, formalized in guidance such as NIST SP 800-210 (General Access Control Guidance for Cloud Systems), requires clear contractual articulation of which party controls each control domain.

Vendor management considerations — SaaS introduces single-vendor dependency for application availability. Technology services vendor management practices address exit rights, data portability obligations, and audit access — factors that are more operationally complex in SaaS than in models where the customer retains software licenses and underlying data infrastructure.

Evaluating SaaS against these boundaries is part of a broader technology services risk management process and connects directly to how organizations structure their technology services procurement workflows. The knowledge graph authority index provides cross-sector reference context for navigating these decisions within the full technology services landscape.

References

NIST Special Publication 800-145: The NIST Definition of Cloud Computing — National Institute of Standards and Technology
NIST Special Publication 800-210: General Access Control Guidance for Cloud Systems — National Institute of Standards and Technology
FedRAMP — Federal Risk and Authorization Management Program — U.S. General Services Administration
45 CFR Part 164 — HIPAA Security and Privacy Rules — U.S. Department of Health and Human Services via eCFR
FFIEC IT Examination Handbook — Outsourcing Technology Services — Federal Financial Institutions Examination Council

Explore This Site

Services & Options Key Dimensions and Scopes of Technology Services Tools & Calculators Website Performance Impact Calculator FAQ Technology Services: Frequently Asked Questions Overview Technology Services: What It Is and Why It Matters